{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-40079", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.160Z", "datePublished": "2025-10-28T11:48:44.122Z", "dateUpdated": "2025-10-28T11:48:44.122Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-10-28T11:48:44.122Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv, bpf: Sign extend struct ops return values properly\n\nThe ns_bpf_qdisc selftest triggers a kernel panic:\n\n Unable to handle kernel paging request at virtual address ffffffffa38dbf58\n Current test_progs pgtable: 4K pagesize, 57-bit VAs, pgdp=0x00000001109cc000\n [ffffffffa38dbf58] pgd=000000011fffd801, p4d=000000011fffd401, pud=000000011fffd001, pmd=0000000000000000\n Oops [#1]\n Modules linked in: bpf_testmod(OE) xt_conntrack nls_iso8859_1 [...] [last unloaded: bpf_testmod(OE)]\n CPU: 1 UID: 0 PID: 23584 Comm: test_progs Tainted: G W OE 6.17.0-rc1-g2465bb83e0b4 #1 NONE\n Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2024.01+dfsg-1ubuntu5.1 01/01/2024\n epc : __qdisc_run+0x82/0x6f0\n ra : __qdisc_run+0x6e/0x6f0\n epc : ffffffff80bd5c7a ra : ffffffff80bd5c66 sp : ff2000000eecb550\n gp : ffffffff82472098 tp : ff60000096895940 t0 : ffffffff8001f180\n t1 : ffffffff801e1664 t2 : 0000000000000000 s0 : ff2000000eecb5d0\n s1 : ff60000093a6a600 a0 : ffffffffa38dbee8 a1 : 0000000000000001\n a2 : ff2000000eecb510 a3 : 0000000000000001 a4 : 0000000000000000\n a5 : 0000000000000010 a6 : 0000000000000000 a7 : 0000000000735049\n s2 : ffffffffa38dbee8 s3 : 0000000000000040 s4 : ff6000008bcda000\n s5 : 0000000000000008 s6 : ff60000093a6a680 s7 : ff60000093a6a6f0\n s8 : ff60000093a6a6ac s9 : ff60000093140000 s10: 0000000000000000\n s11: ff2000000eecb9d0 t3 : 0000000000000000 t4 : 0000000000ff0000\n t5 : 0000000000000000 t6 : ff60000093a6a8b6\n status: 0000000200000120 badaddr: ffffffffa38dbf58 cause: 000000000000000d\n [<ffffffff80bd5c7a>] __qdisc_run+0x82/0x6f0\n [<ffffffff80b6fe58>] __dev_queue_xmit+0x4c0/0x1128\n [<ffffffff80b80ae0>] neigh_resolve_output+0xd0/0x170\n [<ffffffff80d2daf6>] ip6_finish_output2+0x226/0x6c8\n [<ffffffff80d31254>] ip6_finish_output+0x10c/0x2a0\n [<ffffffff80d31446>] ip6_output+0x5e/0x178\n [<ffffffff80d2e232>] ip6_xmit+0x29a/0x608\n [<ffffffff80d6f4c6>] inet6_csk_xmit+0xe6/0x140\n [<ffffffff80c985e4>] __tcp_transmit_skb+0x45c/0xaa8\n [<ffffffff80c995fe>] tcp_connect+0x9ce/0xd10\n [<ffffffff80d66524>] tcp_v6_connect+0x4ac/0x5e8\n [<ffffffff80cc19b8>] __inet_stream_connect+0xd8/0x318\n [<ffffffff80cc1c36>] inet_stream_connect+0x3e/0x68\n [<ffffffff80b42b20>] __sys_connect_file+0x50/0x88\n [<ffffffff80b42bee>] __sys_connect+0x96/0xc8\n [<ffffffff80b42c40>] __riscv_sys_connect+0x20/0x30\n [<ffffffff80e5bcae>] do_trap_ecall_u+0x256/0x378\n [<ffffffff80e69af2>] handle_exception+0x14a/0x156\n Code: 892a 0363 1205 489c 8bc1 c7e5 2d03 084a 2703 080a (2783) 0709\n ---[ end trace 0000000000000000 ]---\n\nThe bpf_fifo_dequeue prog returns a skb which is a pointer. The pointer\nis treated as a 32bit value and sign extend to 64bit in epilogue. This\nbehavior is right for most bpf prog types but wrong for struct ops which\nrequires RISC-V ABI.\n\nSo let's sign extend struct ops return values according to the function\nmodel and RISC-V ABI([0]).\n\n [0]: https://riscv.org/wp-content/uploads/2024/12/riscv-calling.pdf"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/riscv/net/bpf_jit_comp64.c"], "versions": [{"version": "25ad10658dc1068a671553ff10e19a812c2a3783", "lessThan": "92751937f12a7d34ad492577a251c94a55e97e72", "status": "affected", "versionType": "git"}, {"version": "25ad10658dc1068a671553ff10e19a812c2a3783", "lessThan": "918a399501e28e0cc36dbd1fcfb4208f8aa1e4d1", "status": "affected", "versionType": "git"}, {"version": "25ad10658dc1068a671553ff10e19a812c2a3783", "lessThan": "fd2e08128944a7679e753f920e9eda72057e427c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/riscv/net/bpf_jit_comp64.c"], "versions": [{"version": "6.6", "status": "affected"}, {"version": "0", "lessThan": "6.6", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.53", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17.3", "lessThanOrEqual": "6.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.12.53"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.17.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.18-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/92751937f12a7d34ad492577a251c94a55e97e72"}, {"url": "https://git.kernel.org/stable/c/918a399501e28e0cc36dbd1fcfb4208f8aa1e4d1"}, {"url": "https://git.kernel.org/stable/c/fd2e08128944a7679e753f920e9eda72057e427c"}], "title": "riscv, bpf: Sign extend struct ops return values properly", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv, bpf: Sign extend struct ops return values properly\n\nThe ns_bpf_qdisc selftest triggers a kernel panic:\n\n Unable to handle kernel paging request at virtual address ffffffffa38dbf58\n Current test_progs pgtable: 4K pagesize, 57-bit VAs, pgdp=0x00000001109cc000\n [ffffffffa38dbf58] pgd=000000011fffd801, p4d=000000011fffd401, pud=000000011fffd001, pmd=0000000000000000\n Oops [#1]\n Modules linked in: bpf_testmod(OE) xt_conntrack nls_iso8859_1 [...] [last unloaded: bpf_testmod(OE)]\n CPU: 1 UID: 0 PID: 23584 Comm: test_progs Tainted: G W OE 6.17.0-rc1-g2465bb83e0b4 #1 NONE\n Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2024.01+dfsg-1ubuntu5.1 01/01/2024\n epc : __qdisc_run+0x82/0x6f0\n ra : __qdisc_run+0x6e/0x6f0\n epc : ffffffff80bd5c7a ra : ffffffff80bd5c66 sp : ff2000000eecb550\n gp : ffffffff82472098 tp : ff60000096895940 t0 : ffffffff8001f180\n t1 : ffffffff801e1664 t2 : 0000000000000000 s0 : ff2000000eecb5d0\n s1 : ff60000093a6a600 a0 : ffffffffa38dbee8 a1 : 0000000000000001\n a2 : ff2000000eecb510 a3 : 0000000000000001 a4 : 0000000000000000\n a5 : 0000000000000010 a6 : 0000000000000000 a7 : 0000000000735049\n s2 : ffffffffa38dbee8 s3 : 0000000000000040 s4 : ff6000008bcda000\n s5 : 0000000000000008 s6 : ff60000093a6a680 s7 : ff60000093a6a6f0\n s8 : ff60000093a6a6ac s9 : ff60000093140000 s10: 0000000000000000\n s11: ff2000000eecb9d0 t3 : 0000000000000000 t4 : 0000000000ff0000\n t5 : 0000000000000000 t6 : ff60000093a6a8b6\n status: 0000000200000120 badaddr: ffffffffa38dbf58 cause: 000000000000000d\n [<ffffffff80bd5c7a>] __qdisc_run+0x82/0x6f0\n [<ffffffff80b6fe58>] __dev_queue_xmit+0x4c0/0x1128\n [<ffffffff80b80ae0>] neigh_resolve_output+0xd0/0x170\n [<ffffffff80d2daf6>] ip6_finish_output2+0x226/0x6c8\n [<ffffffff80d31254>] ip6_finish_output+0x10c/0x2a0\n [<ffffffff80d31446>] ip6_output+0x5e/0x178\n [<ffffffff80d2e232>] ip6_xmit+0x29a/0x608\n [<ffffffff80d6f4c6>] inet6_csk_xmit+0xe6/0x140\n [<ffffffff80c985e4>] __tcp_transmit_skb+0x45c/0xaa8\n [<ffffffff80c995fe>] tcp_connect+0x9ce/0xd10\n [<ffffffff80d66524>] tcp_v6_connect+0x4ac/0x5e8\n [<ffffffff80cc19b8>] __inet_stream_connect+0xd8/0x318\n [<ffffffff80cc1c36>] inet_stream_connect+0x3e/0x68\n [<ffffffff80b42b20>] __sys_connect_file+0x50/0x88\n [<ffffffff80b42bee>] __sys_connect+0x96/0xc8\n [<ffffffff80b42c40>] __riscv_sys_connect+0x20/0x30\n [<ffffffff80e5bcae>] do_trap_ecall_u+0x256/0x378\n [<ffffffff80e69af2>] handle_exception+0x14a/0x156\n Code: 892a 0363 1205 489c 8bc1 c7e5 2d03 084a 2703 080a (2783) 0709\n ---[ end trace 0000000000000000 ]---\n\nThe bpf_fifo_dequeue prog returns a skb which is a pointer. The pointer\nis treated as a 32bit value and sign extend to 64bit in epilogue. This\nbehavior is right for most bpf prog types but wrong for struct ops which\nrequires RISC-V ABI.\n\nSo let's sign extend struct ops return values according to the function\nmodel and RISC-V ABI([0]).\n\n [0]: https://riscv.org/wp-content/uploads/2024/12/riscv-calling.pdf"}], "id": "CVE-2025-40079", "lastModified": "2025-10-28T12:15:42.480", "metrics": {}, "published": "2025-10-28T12:15:42.480", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/918a399501e28e0cc36dbd1fcfb4208f8aa1e4d1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/92751937f12a7d34ad492577a251c94a55e97e72"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fd2e08128944a7679e753f920e9eda72057e427c"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}